Hacker News

You'd be surprised. I've worked at many startups and mid-sized companies. You don't actually "need" to do most of those things. I did a consulting job for a company with hundreds of millions in revenue that didn't patch its servers for years. One had a 1400-day uptime!


> didn't patch its servers for years. One had a 1400 day uptime

Well, this isn't exactly the best practice to follow - but, yes, this is very common, and it works (until someone finds that there's a vulnerability to exploit). So, from a purely practical perspective, software updates are certainly not a hard requirement; one can do quite well without them (just be aware of the risks).

Anyway, there are many fairly age-tested solutions for updating software on the fly, live kernel patching and live network sockets included.

And a lot of cloud software updates (e.g. managed databases) incur noticeable downtime so you need a failover (and appropriate software design that can survive it). But then you can do the very same thing with two servers, no cloud magic necessary.


Hardening servers isn't as hard as it used to be. Ansible does a pretty good job, and there are several examples of using it to harden your server. If you are using a VPS, you could use Packer and start with a fleet of servers based on your custom image.
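A minimal Ansible playbook of the kind the comment above refers to, written here as an added example rather than code from the thread. It assumes a Debian/Ubuntu target in an inventory group called `web`, sudo access for the Ansible user, and that key-based SSH login already works for your admin account (otherwise the `PasswordAuthentication no` step locks you out). The `validate:` argument on the sshd edit is the check a practitioner wants: the file is only written if `sshd -t` accepts it.

```yaml
# Added example, not from the original thread.
# Baseline hardening for a small Debian/Ubuntu fleet.
# Assumptions: inventory group "web", sudo access, working key-based SSH.
- name: Baseline hardening
  hosts: web
  become: true
  tasks:
    - name: Apply pending package updates
      ansible.builtin.apt:
        update_cache: true
        upgrade: safe

    - name: Install unattended-upgrades so patching does not depend on memory
      ansible.builtin.apt:
        name: unattended-upgrades
        state: present

    - name: Enable automatic security updates
      ansible.builtin.copy:
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";
        mode: "0644"

    - name: Lock down sshd (no root login, no password auth)
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        # Replace the existing directive, commented or not
        regexp: "^#?{{ item.key }}\\s"
        line: "{{ item.key }} {{ item.value }}"
        # Only write the file if sshd accepts the resulting config
        validate: "sshd -t -f %s"
      loop:
        - { key: PermitRootLogin, value: "no" }
        - { key: PasswordAuthentication, value: "no" }
        - { key: X11Forwarding, value: "no" }
      notify: Restart sshd

    - name: Allow only SSH and HTTPS inbound
      community.general.ufw:
        rule: allow
        port: "{{ item }}"
        proto: tcp
      loop: ["22", "443"]

    - name: Enable the firewall with a deny-by-default inbound policy
      community.general.ufw:
        state: enabled
        policy: deny
        direction: incoming

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: ssh   # service name on Debian/Ubuntu; "sshd" on RHEL-family hosts
        state: restarted
```

Run it first with `ansible-playbook harden.yml --check --diff` to see what would change, and keep one session open while the sshd change is applied in case the new config rejects your key. The `community.general` collection must be installed for the `ufw` module.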


Oh, I don't disagree, I just meant it can be as complex as you want it to be. Hardening is just a rabbit hole that can go on almost forever; it's never really final until you declare that enough is enough. Typically there's always something more one can do, if they have the time and capacity.

Also, out-of-the-box distributions these days can be said to be already "hardened" compared to what we had 15 years ago.



